Page MenuHomePhabricator
Create Task
Maniphest T129738

Blocked accounts on BlockDisablesLogin wikis aren't logged out
Closed, ResolvedPublic
Actions

Assigned To
Bawolff
Authored By
Multichill
Mar 12 2016, 12:46 PM
Tags
Referenced Files
F4286681: 0001-Revert-Make-wgBlockDisablesLogin-also-restrict-logge.patch
Jul 18 2016, 10:44 PM
F4284815: T129738-part2-REL1_23.patch
Jul 18 2016, 9:27 AM
F4284818: T129738-part1-REL1_26.patch
Jul 18 2016, 9:27 AM
F4284819: T129738-part2-REL1_26.patch
Jul 18 2016, 9:27 AM
F4284814: T129738-part1-REL1_23
Jul 18 2016, 9:27 AM
F4284822: T129738-part2-REL1_27.patch
Jul 18 2016, 9:27 AM
F4284820: T129738-part1-REL1_27.patch
Jul 18 2016, 9:27 AM
F4232102: [v3] Make wgBlockDisablesLogin restrict logged in users rights to anon
Jul 3 2016, 7:46 PM
View All 12 Files
Subscribers
Aklapper
Bawolff
csteipp
DC
demon
gerritbot
Glaisher
View All 22 Subscribers

Description

About a month ago I decided to quit OTRS. I had my account removed.

When I try to login I get this nice message, so far so good:

Login error 
 This account has been closed, most likely due to inactivity. Inactive accounts are routinely closed to maintain the security of the OTRS system/wiki and to make sure that only those who need access have it. If you require further information, or would like to discuss having your account re-activated, contact an OTRS administrator through their individual talk pages/e-mails or by writing an e-mail to volunteers-otrs [at] wikimedia [dot] org.

But I still had a logged in session and in that session I can still see all the private information on https://otrs-wiki.wikimedia.org . This is an information leak. Closed down accounts shouldn't be able to see anything anymore.

Judging from https://otrs-wiki.wikimedia.org/wiki/Special:ListGroupRights the group "Inactive users" was created for this, but if you compare https://otrs-wiki.wikimedia.org/w/index.php?title=Special:ListUsers&group=inactive to https://otrs-wiki.wikimedia.org/wiki/List_of_accounts/closed than you'll notice that lot's of users are not in there. https://otrs-wiki.wikimedia.org/w/index.php?title=Special:ListUsers&offset=&limit=5000&username=&group= gives an even better overview.

My guess is to fix this, all blocked accounts should be placed in the inactive user group. Probably a regular check should be performed to see if the blocked and inactive users are still in sync.

This problem might exist on other private wiki's.

Patches

Details

SubjectRepoBranchLines +/-
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissionsmediawiki/coreREL1_27+47 -14
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissionsmediawiki/coremaster+47 -14
SECURITY: Make blocks log users out if $wgBlockDisablesLoginmediawiki/coreREL1_27+8 -0
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissionsmediawiki/coreREL1_26+48 -14
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissionsmediawiki/corefundraising/REL1_27+48 -14
Make blocks log users out if $wgBlockDisablesLoginmediawiki/corefundraising/REL1_27+8 -0
SECURITY: Make blocks log users out if $wgBlockDisablesLoginmediawiki/coreREL1_26+8 -0
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissionsmediawiki/coreREL1_23+44 -11
SECURITY: Make blocks log users out if $wgBlockDisablesLoginmediawiki/coreREL1_23+6 -0
SECURITY: Make blocks log users out if $wgBlockDisablesLoginmediawiki/coremaster+8 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Tgr edited projects, added MediaWiki-Core-AuthManager; removed MediaWiki-User-login-and-signup.Mar 13 2016, 12:31 AM

There are two ways to handle this:

  • check blocks on every request - expensive
  • log the user out (change the token) when blocked - does not work for IP blocks, probably worse UX-wise (blocking and then unblocking a user leaves them logged out), must be reimplemented in auth extensions which might be nontrivial (e.g. on a SUL wiki the user gets logged out of all other wikis as well).

Probably the first is the way to go, with some sort of caching.

Krenair added a project: Vuln-Infoleak.Mar 13 2016, 12:39 AM
In T129738#2115180, @Multichill wrote:
In T129738#2114985, @Krenair wrote:

Not an Znuny bug, this is for MediaWiki

Also, I think this is an issue with wgBlockDisablesLogin and session handling code - the inactive group was from the DisableAccount extension IIRC

It directly affects the security of our OTRS system so I would keep the Znuny project on it.

It's not a ticket.wikimedia.org issue so it's not Znuny (see the project description). otrs-wiki is not actually OTRS itself, and AFAICT there is no suggestion that this issue is specific to otrs-wiki - actually, your description says "This problem might exist on other private wiki's."
The only OTRS link I can find here is that the wiki you discovered it on is called otrs-wiki.

In T129738#2115180, @Multichill wrote:

The whole blocking system is all about preventing people to edit, not about preventing people to login or read. If I block someone on say Wikidata, I still want that person to be able to login so they can respond on their user talk page. Using blocks to prevent people from reading feels flawed to me, the system was never designed for that.

It is about that as well actually. Read the documentation: https://www.mediawiki.org/wiki/Manual:$wgBlockDisablesLogin.

In T129738#2115182, @Multichill wrote:

Oh, why did you completely change the scope of this ticket @Krenair ? This is a specific security incident that needs a specific fix to prevent a leak of private data. This is not a hypothetical issue, see for example https://commons.wikimedia.org/w/index.php?title=Commons%3AAdministrators%2FRequests%2FThe_Photographer&type=revision&diff=189005015&oldid=188843954

I didn't completely change the scope of this ticket. I did not move it out of security. I am not claiming it is hypothetical.

Krenair renamed this task from Closed accounts on otrs-wiki aren't logged out and can still see private information to Blocked accounts on BlockDisablesLogin wikis aren't logged out.Mar 13 2016, 12:39 AM
MaxSem subscribed.Mar 13 2016, 1:01 AM
In T129738#2115185, @Tgr wrote:
  • log the user out (change the token) when blocked - does not work for IP blocks, probably worse UX-wise (blocking and then unblocking a user leaves them logged out), must be reimplemented in auth extensions which might be nontrivial (e.g. on a SUL wiki the user gets logged out of all other wikis as well).

None of the BlockDisablesLogin wikis are SUL-enabled on WMF, and this generally makes no sense for third parties, too. So in order to both fix this issue and preserve UX, we only need to log out when blocking on such wikis.

Tgr added a comment.Mar 13 2016, 2:24 AM
In T129738#2115191, @MaxSem wrote:

None of the BlockDisablesLogin wikis are SUL-enabled on WMF, and this generally makes no sense for third parties, too.

Well, using CentralAuth generally makes no sense for third parties (although it still happens). But apart from that, having a private wikifarm with single sign-on is perfectly sensible.

csteipp triaged this task as High priority.Mar 15 2016, 7:08 PM
  • log the user out (change the token) when blocked - does not work for IP blocks, probably worse UX-wise (blocking and then unblocking a user leaves them logged out), must be reimplemented in auth extensions which might be nontrivial (e.g. on a SUL wiki the user gets logged out of all other wikis as well).

I think this is the right way to go, despite the complexity.

Bawolff subscribed.Mar 20 2016, 11:17 PM
In T129738#2123780, @csteipp wrote:
  • log the user out (change the token) when blocked - does not work for IP blocks, probably worse UX-wise (blocking and then unblocking a user leaves them logged out), must be reimplemented in auth extensions which might be nontrivial (e.g. on a SUL wiki the user gets logged out of all other wikis as well).

I think this is the right way to go, despite the complexity.

Also, in the private wiki case, we're mostly concerned about direct blocks. I don't think it really matters in this case for IP blocks, range blocks, etc.

Bawolff added a comment.Apr 19 2016, 1:50 PM

My guess is to fix this, all blocked accounts should be placed in the inactive user group. Probably a regular check should be performed to see if the blocked and inactive users are still in sync.

We actually do have APCOND_BLOCKED for $wgAutopromote in order to make an implicit group for blocked users, if we wanted to go that route.

Bawolff added a project: Patch-For-Review.Apr 19 2016, 2:31 PM

OTOH: Having the user be logged out at time of block seems a bit more fragile. In addition to various auth plugins, its also essentially doing a permission check at time of permission change, instead of at time of action.

Maybe we should do both approaches? Then it will also work with IP based blocks too.

Make Blocks log out user in question if $wgBlockDisablesLogin is set1 KBDownload

The above patch logs users out upon block (For vanilla MW, and only for direct blocks)

Change permissions to make blocked users like anon when BlockDisablesLogin3 KBDownload

This patch extends block handling, so that if $wgBlockDisableLogin is set, Title::userCan behaves as if the user is an anon. In many ways this seems safer, since the block checking is always done at time of action. And it can't be affected by authentication extensions that do their own loading from session.

hoo added a subscriber: DC.May 16 2016, 3:14 PM
Anomie merged a task: Restricted Task.Jun 3 2016, 5:26 PM
Anomie added subscribers: Glaisher, Natuur12, Zppix, Sjoerddebruin.
Sjoerddebruin added a comment.Jun 3 2016, 9:31 PM

We retain advanced rights on our arbcomwiki after blocking (don't ask me why, i'm new), users are also being able to remove their own block and reset the session so they can read the wiki for 30 days again. Could we please make a decision?

Natuur12 added a comment.Jun 3 2016, 9:57 PM

Regarding what Sjoerd said, I indeed managed to unblock my account at a closed wiki as a test... I wonder why it takes this long to fix an important security issue.

Krenair added a comment.EditedJun 3 2016, 11:00 PM
In T129738#2354690, @Natuur12 wrote:

I wonder why it takes this long to fix an important security issue.

Would you like to rank it against all the other open security issues?

Natuur12 added a comment.Jun 3 2016, 11:32 PM

@Krenair: 9 on a scale of 10. Me (term ended) and the other user left in good faith but I cannot imagine the damage that could have been done if someone who would have left in bad faith wanted to do some real damage. I don't know how the wiki's that contain even more private data than an Arbcomwiki work but I figure they use the same extension. Can you just imagine a rogue user with access to private data wanting to use it do damage without anyone knowing about it?

Honestly, I had the possibility to stay on a closed wiki for a long time using data from that wiki to manipulate an Arbcomcase regarding a block I placed. I would never do such a thing because I care for giving even the worst trolls a fair treatment but still. It shouldn't be possible.

Multichill added a comment.Jun 4 2016, 9:33 AM

So this has been open for several months and nothing happened. Do we have to go whistle blower here? Maybe a nice post to Wikimedia-l so our fans at Wikipediocracy have another topic to ramble about?

To patch up this issue you can just have a daily cronjob that goes over the private wiki's and logs out everyone that is in the blocked list. That's probably just a join of https://www.mediawiki.org/wiki/Manual:Ipblocks_table and https://www.mediawiki.org/wiki/Manual:User_table where user_token IS NOT NULL and ipb_expiry='infinity' and than setting the user_token to NULL. Based on https://nl.wikipedia.org/wiki/Speciaal:WebsiteMatrix that's only 30 wiki's.

That's not a very elegant solution, but it does prevent this from happening until you find a more permanent solution. Waiting for the more permanent solution could take months.

Anomie added a comment.Jun 6 2016, 2:13 PM
In T129738#2218016, @Bawolff wrote:

Make Blocks log out user in question if $wgBlockDisablesLogin is set1 KBDownload

The above patch logs users out upon block (For vanilla MW, and only for direct blocks)

This one looks good to me, but I haven't tested. I might add a comment that it's specifically logging out only on the local wiki, since being blocked on one SUL wiki probably shouldn't force a logout everywhere.

Change permissions to make blocked users like anon when BlockDisablesLogin3 KBDownload

This one mostly looks good to me too, but I haven't tested.

I note the code doesn't quite match your statement here that it "behaves as if the user is anon": If anons can take an action but there's a group that loses the ability thanks to $wgRevokePermissions, User::isEveryoneAllowed() will return false.

RobLa-WMF added subscribers: dpatrick, RobLa-WMF.Jun 7 2016, 10:16 PM
In T129738#2355213, @Multichill wrote:

So this has been open for several months and nothing happened. Do we have to go whistle blower here?

Sorry for all of the delays, but please don't. From what I understand, @Bawolff is taking a look at his April patches to make sure they work with AuthManager. Ping @dpatrick , @Bawolff, and/or myself on IRC if this still looks stalled to you and you need to take action, particularly after 2016W23 has gone by.

Bawolff added a comment.Jun 8 2016, 3:13 AM

I can confirm my patch from April still works post-auth manager and applies cleanly to master.

RobLa-WMF added subscribers: demon, greg.Jun 8 2016, 4:52 AM
In T129738#2363011, @Bawolff wrote:

I can confirm my patch from April still works post-auth manager and applies cleanly to master.

\o/ excellent!

@greg or @demon , do you have advice for what the next step should be?

Bawolff added a comment.Jun 8 2016, 4:54 AM

Next step would be deploy the patch (if its considered reviewed sufficiently). Previously that would have been csteipp, now i guess that is dpatrick (?)

Krenair added a comment.Jun 8 2016, 7:38 AM

Any deployer with security access should be able to deploy it... Assuming it's been adequately reviewed. Actually, why don't you have deployment access @Bawolff?

dpatrick added a comment.Jun 8 2016, 3:00 PM

@Bawolff, thanks for verifying. I plan on deploying this today or tomorrow after testing the patch.

dpatrick added a parent task: T133070: MediaWiki 1.27.1 security release.Jun 8 2016, 9:20 PM
dpatrick mentioned this in T133070: MediaWiki 1.27.1 security release.Jun 9 2016, 6:59 PM
dpatrick added a comment.EditedJun 9 2016, 8:36 PM

This has been tested. Because AuthManager is being enabled on public wikis this week, with the final set happening within a few hours, I'm delaying applying @Bawolff's patches until next week, to allow some time for potentials problems with AuthManager to manifest.

@Multichill Thanks for your patience as we work on scheduling this, and apologies for the delay in getting the issue fixed.

dpatrick added a comment.Jun 13 2016, 10:42 PM

These patches have been deployed:

22:41 dapatrick: Deployed patches for T129738 to wmf5
dpatrick removed a project: Patch-For-Review.Jun 13 2016, 10:48 PM
DC added a subscriber: Schiedsgericht.Jun 14 2016, 12:43 AM
Bawolff closed this task as Resolved.Jun 14 2016, 2:34 AM
Bawolff claimed this task.
Krenair added a comment.Jun 14 2016, 3:36 AM

Shouldn't this stay open until the patch is released to mediawiki master?

Bawolff added a comment.Jun 14 2016, 4:32 AM
In T129738#2378214, @Krenair wrote:

Shouldn't this stay open until the patch is released to mediawiki master?

Other security bugs seem to have been closed once a fix is deployed, and made to block the next release tracking bug (T133070). Then when next security release is happening, bug gets applied to master and made public.

However, I don't particularly feel attached to that methodology (Although it is nice to have the feeling of bugs getting checked off once the main part is done)

DC added a subscriber: Krd.Jun 14 2016, 9:22 AM
Krd added a subscriber: Rjd0060.Jun 14 2016, 9:32 AM
Natuur12 added a comment.Jun 14 2016, 3:13 PM

For now it seem to have worked. Still not logged out but I cannot see anything I should not see. I added a screenshot.

AC-wiki.png (553×1 px, 96 KB)

Bawolff added a comment.Jun 14 2016, 4:33 PM

Re @Natuur12 : so going forward, when anyone new is blocked, they should be logged out. However that doesnt include any of the currently blocked people. The existing blocked people will now just have the blocked notice on all pages.

Krd added subscribers: Matthewrbowker, Moonriddengirl.Jun 14 2016, 6:29 PM
Multichill reopened this task as Open.Jun 14 2016, 7:29 PM
In T129738#2380160, @Bawolff wrote:

Re @Natuur12 : so going forward, when anyone new is blocked, they should be logged out. However that doesnt include any of the currently blocked people. The existing blocked people will now just have the blocked notice on all pages.

So the actual incident for which I filed this task hasn't been resolved yet. Reopening. Should be quite easy to do a one time invalidation run as described in T129738#2355213

Anomie added a comment.Jun 14 2016, 7:36 PM
In T129738#2380811, @Multichill wrote:

So the actual incident for which I filed this task hasn't been resolved yet.

Are you sure about that? There were two changes made here:

  1. When a user is blocked on these wikis, they will also be logged out. But this can't apply to IP blocks.
  2. Blocked users on these wikis effectively have the same rights as an anonymous user when it comes to title permission checks, i.e. if anons can't read pages, the blocked user can't either.

Item #2 should be taking care of your issue for your existing session, and @Natuur12 has stated it's working in their case. Are you not seeing the same behavior?

Natuur12 added a comment.Jun 16 2016, 11:19 PM

No since I can still acces the notification system which could still provide me with info I should not see. Really small change but still.

Bawolff added a comment.Jun 20 2016, 8:09 AM
In T129738#2387658, @Natuur12 wrote:

No since I can still acces the notification system which could still provide me with info I should not see. Really small change but still.

Oh i see. Notifications just checks if you have read rights in general, and not if you have read rights for a specific page.

Bawolff added a project: Patch-For-Review.Jun 29 2016, 9:51 PM

[v2] Remove rights from blocked users if block disables login4 KBDownload

Alternative patch, that prevents the $user->isAllowed() case, but also still does the per-title check for the better error message.

Restricted Application removed a subscriber: Zppix. · View Herald TranscriptJun 29 2016, 9:51 PM
Anomie added a comment.Jun 30 2016, 1:59 PM
In T129738#2416302, @Bawolff wrote:

[v2] Remove rights from blocked users if block disables login4 KBDownload

You should move the limitation to after the UserGetRights hook call, though. Otherwise things like CentralAuth's global rights wouldn't be properly limited.

Nitpicks: At one point you have New User rather than new User, and I don't see the point of the $blkDisablesLogin variable versus just doing $config->get( 'BlockDisablesLogin' ) inside the if.

Bawolff added a comment.Jul 3 2016, 7:46 PM

Thanks.

Modified version:

[v3] Make wgBlockDisablesLogin restrict logged in users rights to anon4 KBDownload

Bawolff added a comment.Jul 3 2016, 7:49 PM

You should move the limitation to after the UserGetRights hook call, though. Otherwise things like CentralAuth's global rights wouldn't be properly limited.

Wait. Doesn't this mean that CentralAuth global group rights aren't being limitted by $this->getRequest()->getSession()->getAllowedUserRights() ?

Anomie added a comment.Jul 5 2016, 2:07 PM
In T129738#2424928, @Bawolff wrote:

You should move the limitation to after the UserGetRights hook call, though. Otherwise things like CentralAuth's global rights wouldn't be properly limited.

Wait. Doesn't this mean that CentralAuth global group rights aren't being limitted by $this->getRequest()->getSession()->getAllowedUserRights() ?

... Yes, it does. That should be fixed.

Anomie added a comment.Jul 5 2016, 2:08 PM
In T129738#2424927, @Bawolff wrote:

[v3] Make wgBlockDisablesLogin restrict logged in users rights to anon4 KBDownload

Code-Review: +1, but we may want to do something here about the existing issue you identified.

Bawolff mentioned this in T139670: Central auth global groups don't take session rights limit into account.Jul 7 2016, 9:19 PM
Bawolff added a comment.Jul 7 2016, 9:21 PM

Split to T139670

Bawolff moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Jul 10 2016, 5:12 PM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:27 AM
Bawolff added a comment.Jul 18 2016, 10:44 PM

0001-Revert-Make-wgBlockDisablesLogin-also-restrict-logge.patch3 KBDownload
is a patch to revert
Change permissions to make blocked users like anon when BlockDisablesLogin3 KBDownload
in order that we can apply
[v3] Make wgBlockDisablesLogin restrict logged in users rights to anon4 KBDownload
instead.

Bawolff closed this task as Resolved.Jul 18 2016, 11:02 PM

bawolff !log deploy fix for T129738 to php-1.28.0-wmf.10

So the updated version of the patch should be live, which will make echo and everything else be blocked if the user is blocked but for some reason not logged out on a private wiki.

dpatrick added a subscriber: Staypos.Aug 22 2016, 11:30 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 23 2016, 1:23 AM
demon changed Security from Software security bug to None.
gerritbot subscribed.Aug 23 2016, 1:34 AM

Change 306087 merged by jenkins-bot:
SECURITY: Make blocks log users out if $wgBlockDisablesLogin

https://gerrit.wikimedia.org/r/306087

gerritbot added a comment.Aug 23 2016, 1:37 AM

Change 306115 merged by jenkins-bot:
SECURITY: Make blocks log users out if $wgBlockDisablesLogin

https://gerrit.wikimedia.org/r/306115

MZMcBride subscribed.Aug 23 2016, 1:42 AM
gerritbot added a comment.Aug 23 2016, 1:43 AM

Change 306116 merged by jenkins-bot:
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions

https://gerrit.wikimedia.org/r/306116

gerritbot added a comment.Aug 23 2016, 1:52 AM

Change 306106 merged by jenkins-bot:
SECURITY: Make blocks log users out if $wgBlockDisablesLogin

https://gerrit.wikimedia.org/r/306106

gerritbot added a comment.Aug 23 2016, 1:56 AM

Change 306125 had a related patch set uploaded (by Ejegg):
Make blocks log users out if $wgBlockDisablesLogin

https://gerrit.wikimedia.org/r/306125

gerritbot added a comment.Aug 23 2016, 1:56 AM

Change 306126 had a related patch set uploaded (by Ejegg):
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions

https://gerrit.wikimedia.org/r/306126

gerritbot added a comment.Aug 23 2016, 1:58 AM

Change 306107 merged by jenkins-bot:
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions

https://gerrit.wikimedia.org/r/306107

ReleaseTaggerBot added projects: MW-1.26-release, MW-1.23-release, MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-08-23_(1.28.0-wmf.16)).Aug 23 2016, 2:00 AM
gerritbot added a comment.Aug 23 2016, 2:18 AM

Change 306096 merged by jenkins-bot:
SECURITY: Make blocks log users out if $wgBlockDisablesLogin

https://gerrit.wikimedia.org/r/306096

gerritbot added a comment.Aug 23 2016, 2:28 AM

Change 306088 merged by jenkins-bot:
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions

https://gerrit.wikimedia.org/r/306088

gerritbot added a comment.Aug 23 2016, 2:33 AM

Change 306125 merged by jenkins-bot:
Make blocks log users out if $wgBlockDisablesLogin

https://gerrit.wikimedia.org/r/306125

gerritbot added a comment.Aug 23 2016, 2:35 AM

Change 306126 merged by jenkins-bot:
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions

https://gerrit.wikimedia.org/r/306126

gerritbot added a comment.Aug 23 2016, 2:54 AM

Change 306097 merged by jenkins-bot:
SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions

https://gerrit.wikimedia.org/r/306097

ReleaseTaggerBot added a project: MW-1.27-release-notes.Aug 23 2016, 3:00 AM
Kghbln mentioned this in T143790: $wgBlockDisablesLogin = true; + $wgEmailConfirmToEdit = true; causes the wiki to be inaccessible for anonymous users.Aug 24 2016, 2:18 PM
Tgr mentioned this in T148600: OAuth /identify endpoint does not check whether consumer is approved.Oct 19 2016, 10:42 PM
Anomie mentioned this in T150987: When global locking a compromised account, if user had pressed remember me, the cookie from the compromised account can be used to get back into the account later.Nov 17 2016, 9:06 PM
Kghbln mentioned this in T151805: Security issues publicly announced, fixed but not released?.Nov 28 2016, 8:43 PM
Tgr mentioned this in T106067: Undeploy DisableAccount extension.Dec 24 2016, 10:30 PM
Anomie mentioned this in T218608: OAuth doesn't work when $wgBlockDisablesLogin is true.Mar 19 2019, 2:05 PM
Tgr mentioned this in T222282: Log users out when they're blocked on wikitech.May 15 2019, 4:53 PM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:37 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Aklapper removed subscribers: RobLa-WMF, dpatrick, Anomie.Oct 16 2020, 5:40 PM
Zabe mentioned this in T292375: Figure out how to force-logout users cross-wiki.Oct 3 2021, 8:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits